July 2018

July 12, 2018

As Dark Reading reported recently, insurers have sued Trustwave for a whopping $30 million over the 2008 Heartland data breach. Amazing to think that the massive Heartland Payment Systems data breach happened in 2008.

Insurance firms Lexington Insurance Co., of Massachusetts, and Beazley Insurance Co., of Connecticut, filed suit in the Circuit Court of Cook County, Illinois on June 28th claiming professional malpractice by security firm Trustwave Holdings Inc. in the 2008 data breach of Heartland that led to the insurers paying some $30 million in claims. Trustwave had certified the company as PCI DSS-compliant prior to the attack.

The lawsuit followed a Trustwave court filing on June 22nd in Delaware that petitioned the court to rule the insurers' demands moot because of the statute of limitations on the case, and to find that Trustwave did not breach its audit contract with Heartland. Trustwave filed the case after the insurers sent the firm a letter demanding payment for the insurance claims they had paid out related to the breach. Lexington and Beazley upped the ante by taking the suit to court in Illinois.

"The insurers' spurious demand related to a decade-old breach is entirely without merit. Trustwave initiated this lawsuit in order to obtain a judgment accordingly and intends to pursue this matter vigorously," Trustwave said in a statement provided to Dark Reading.

Trustwave also said its PCI assessment isn't the equivalent of managing security for Heartland.

Trustwave's PCI DSS assessment of Heartland was no guarantee that the company had not been or would not be breached, according to Trustwave. "Trustwave did not manage Heartland's information security, and at no time did Heartland assign blame or make any claim against Trustwave," the company said.

Lexington and Beazley's lawsuit claims Trustwave was responsible for the breach at Heartland and that the security firm had handled PCI DSS assessments, vulnerability scans, and compliance testing services for the payment processor starting in 2005, according to a report by The Cook County Record. The complaint claims the 2009 breach is connected to the SQL injection attack that began on July 24, 2007, on Heartland's system and harvested magnetic stripe data. Malware was planted on May 14, 2008, the suit said, and Trustwave's testing didn't detect it, the report noted.

Trustwave certified Heartland as PCI DSS-compliant in 2007 and 2008 after its audits. Visa conducted its own investigation of the PCI DSS certification and found multiple PCI DSS violations. In 2015, most of the breach litigation was settled. Lexington paid $20 million in insurance reimbursements, while Beazley paid $10 million.

Andrew Hay, co-founder and CTO of Leo Cyber Security, says the lawsuit against Trustwave is bad news for security companies.

"I think this sets a very dangerous precedent for security companies providing services. The customer does, and should, have an expectation of protection as a result of deploying mitigating controls. What's missing in the vendor space, however, are strict rules of engagement related to the proper deployment, management, and monitoring of said controls – both technical and documentation/program," he says. "It's one thing to deploy a tool to address an issue, but it's an entirely different challenge to operationalize the control from a program perspective." He further said that security vendors can't guarantee their products or services are a cure, but instead should position their offerings as a way to help lessen the blow of threats if they are properly deployed, for instance.

I certainly agree with that. Our contracts always note that there is no guarantee that security services can insulate anyone against a breach. With threats and attack surfaces changing all the time, such a guarantee would make no sense. But this case will be closely watched – and no doubt many security vendors will take a look at upping their cyber insurance.

Heartland's hack exposed 130 million US debit and credit card accounts – the largest breach ever recorded at the time. The incident, first made public in January 2009, led the company to up its security posture with end-to-end encryption, tokenization, and EMV chip-and-pin payment card technology.

July 11, 2018

I am fond of the SANS "OUCH! Newsletter" (so much so that I signed up) and was struck by a recent post (thanks Dave Ries) on phone call attacks and scams.

There are two big advantages to using a phone to scam you. First, unlike e-mail, there are fewer security technologies that monitor phone calls and can detect and stop an attack. Second, it is much easier for bad guys to convey emotion over the phone, which makes it more probable that they can con their victims.

The attackers usually want your money, information, or access to your computer (or all three). They do this by tricking you into doing what they want. The bad guys create scenarios that seem very urgent. They want to get you scared so you won't think clearly, and then hurry you into making a mistake. Some of the most common examples include:

The caller says that they are from a government tax department or a tax collection service and that you have unpaid taxes. Oh yes, I've gotten those calls. They explain that if you don't pay your taxes right away you will go to jail. They then pressure you to pay your taxes with your credit card over the phone. Hang up. Tax departments, including the IRS, never call or e-mail people. All official tax notifications are sent by regular mail.

Maybe the caller pretends they are Microsoft Tech Support and explains that your computer is infected. Yes, I've gotten those – and at least two of my lawyer friends were taken in by these calls. It took a considerable amount of time to clean those messes up. Once they convince you that you are infected, they pressure you into buying their software or giving them remote access to your computer. Microsoft will not call you at home. Neither will Apple.

You get an automated voicemail message that your bank account has been canceled, and that you have to call a number to reactivate it. I feel left out here – I've never gotten this call. When you call, you get an automated system that asks you to confirm your identity and asks you all sorts of private questions. This is really not your bank – they are simply gathering your information for identity fraud.

When someone calls you and there is a sense of urgency, be suspicious. If they say you may go to jail if you don't do something, be suspicious. Once you sense an attack, hang up. If you want to confirm that the phone call was legitimate, go to the organization's website (such as your bank or credit card) and get the customer support phone number and call them directly yourself. That way, you know you are talking to the real organization. Both John and I have done this several times. Annoying, but safer.

Don't trust Caller ID. Criminals can spoof the caller number so it looks like it is coming from a legitimate organization or has the same area code as your phone number – even the same three-digit prefix that follows your area code.

Never allow a caller to take temporary control of your computer or trick you into downloading software. This is how they can infect your computer and harvest your data – or continuously monitor your activities.

If a phone call is coming from someone you don't know, let the call go directly to voicemail. This way, you can review unknown calls on your own time. We do this all the time. Most of the time, the fraudsters don't even bother to leave a voicemail. You can enable this by default on many phones with the "Do Not Disturb" feature.

You are your own best defense – remember to be skeptical of all the scams listed above. I just hang up on them, but John sometimes enjoys "having fun" with them. This usually results (ultimately) in curses from the bad guys. I recommend simply hanging up – no point in pissing off a criminal.

July 10, 2018

On July 9th, The Washington Post published a post (I like The Cybersecurity 202 – you might want to subscribe) about the deletion of more than 70 million Twitter accounts since May, at an astonishing rate of more than 1 million per day. There have been months of public criticism of Twitter for not doing enough to wipe out the bots and trolls that used Twitter to spread disinformation during the 2016 election.

If the suspensions continue at this rate, they could go a long way toward curbing the types of automated social media offensives the Russian government carried out in 2016. Part of what made the Kremlin's disinformation campaign so successful was its use of constantly tweeting bots to amplify divisive posts, inflame political tensions and mislead voters.

"While it certainly won't stop the abuses and weaponization of this space, it makes it much harder on those trying to automate such acts," said Peter Singer, a strategist at the nonpartisan think tank New America. "Previously, the barriers to entry to automating abuse and disinformation were incredibly low. This was both because the corporate incentives were more focusing on user numbers and a general Silicon Valley problem of turning a blind eye to how their babies had grown up into battlefields."

Action finally took place after sustained pressure from Congress and internal reviews that revealed tens of thousands of automated accounts connected to the Russian government. It will take a lot of resources to keep this battle going, and it will cause a dip in Twitter's monthly user numbers. A double-edged sword, this battle. And of course, the Russians will be looking for ways to end-run Twitter's defenses. As with all cybersecurity defenses, we are playing a complex game of whack-a-mole.

Twitter officials started arguing for a broader assault on the suspect accounts after learning that many bot accounts used by Russian operatives weren't actually created for disinformation campaigns but were existing accounts that were purchased on the black market.

Rather than merely assessing the content of individual tweets, Twitter began studying thousands of behavioral signals, such as whether users tweet at large numbers of accounts they don't follow, how often they are blocked by people they interact with, whether they have created many accounts from a single IP address, or whether they follow other accounts that are tagged as spam or bots.
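To make the behavioral approach concrete, here is an added example (my own sketch, not Twitter's code) that computes the four signals named above from small, constructed relational tables: follow lists, mentions, blocks, sign-up IP addresses and a set of already-flagged accounts. The thresholds and the simple "count of signals tripped" score are my assumptions; the point is that none of it looks at tweet text.

```python
"""Added example (not Twitter's code): score accounts on the behavioural
signals described in the post, computed from constructed sample tables."""
from collections import Counter

# Constructed sample data: who follows whom, who mentions whom, who blocked
# whom, which IP each account signed up from, and accounts already flagged.
FOLLOWS = {
    "alice": {"bob", "carol"},
    "bob": {"alice"},
    "bot1": {"spam_a", "spam_b", "carol"},
    "bot2": {"spam_a"},
}
MENTIONS = [  # (author, mentioned account)
    ("alice", "bob"), ("alice", "carol"),
    ("bot1", "u1"), ("bot1", "u2"), ("bot1", "u3"), ("bot1", "u4"), ("bot1", "carol"),
    ("bot2", "u5"), ("bot2", "u6"),
]
BLOCKS = [("u1", "bot1"), ("u3", "bot1"), ("u5", "bot2")]  # (blocker, blocked)
SIGNUP_IP = {"alice": "10.0.0.1", "bob": "10.0.0.2",
             "bot1": "203.0.113.9", "bot2": "203.0.113.9"}
FLAGGED = {"spam_a", "spam_b"}

# Assumed thresholds: a signal "trips" when it exceeds its value.
THRESHOLDS = {
    "unsolicited_mention_frac": 0.5,
    "block_rate": 0.25,
    "accounts_on_signup_ip": 1,
    "flagged_follow_frac": 0.5,
}


def signals(account):
    """Compute the four behavioural signals for one account."""
    follows = FOLLOWS.get(account, set())
    mentioned = [m for a, m in MENTIONS if a == account]
    targets = set(mentioned)
    ip_counts = Counter(SIGNUP_IP.values())
    return {
        # share of mentions aimed at accounts the author does not follow
        "unsolicited_mention_frac":
            sum(1 for m in mentioned if m not in follows) / max(len(mentioned), 1),
        # how often the accounts it interacted with blocked it
        "block_rate":
            sum(1 for _, blocked in BLOCKS if blocked == account) / max(len(targets), 1),
        # how many accounts share its sign-up IP address
        "accounts_on_signup_ip": ip_counts[SIGNUP_IP[account]],
        # share of its follows that are already flagged as spam or bots
        "flagged_follow_frac": len(follows & FLAGGED) / max(len(follows), 1),
    }


def score(account):
    """Number of signals (0..4) that exceed their threshold."""
    s = signals(account)
    return sum(1 for name, limit in THRESHOLDS.items() if s[name] > limit)


def suspicious(min_score=3):
    """Accounts whose score reaches min_score, sorted by name."""
    return sorted(a for a in SIGNUP_IP if score(a) >= min_score)


if __name__ == "__main__":
    for account in SIGNUP_IP:
        print(account, score(account), signals(account))
    print("suspicious:", suspicious())
```

Each signal on its own has innocent explanations (a help desk account mentions many strangers; a family shares one IP), which is why the score combines several and why a real system would tune thresholds on labelled data rather than use the guesses above.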

Twitter is understandably concerned about its bottom line, but I am glad it finally recognized its duty to do something about interference with our elections prior to November.

July 09, 2018

As Naked Security reported recently, the Electronic Frontier Foundation (EFF) has a new plan to curb e-mail snooping. The post begins by describing the efforts of Let's Encrypt, a non-profit project that's supported and sponsored by a number of high-profile internet companies and other non-profits.

The project is best known for helping websites make the switch to secure HTTP, better known as HTTPS, the protocol that puts the padlock in your browser. HTTPS, simply put, is regular HTTP transmitted by means of an underlying network protocol known as Transport Layer Security, commonly known by the abbreviation TLS.

You need a TLS security certificate, and a trusted third party needs to sign it. Let's Encrypt not only made the process simpler but also waived the fees for issuing signed security certificates, resulting in a huge decrease in the number of websites that refused to bother with HTTPS at all.

The new question is - what about e-mail encryption? Can folks eavesdrop on your e-mail?

The good news is that if you use one of the major webmail services, and send e-mail to another major webmail user, your e-mails are almost certainly encrypted and safe in transit. But plenty of non-webmail servers still aren't bothering with server-to-server mail encryption, or are encrypting in a sub-standard way.

So the EFF, one of the groups behind the Let's Encrypt project, has announced a related effort called STARTTLS Everywhere for the world's e-mail ecosystem. The word STARTTLS comes from the command used in the SMTP email protocol to switch into encrypted mode, and the STARTTLS Everywhere project aims to get everyone not only to use STARTTLS, but also to use it properly.

Read the post to see the ongoing problems and how the EFF proposes to help solve them. In part, the EFF will extend the Let's Encrypt system so that e-mail administrators can quickly and easily add TLS support for free. One dicey problem is that there is no downgrade protection. Unlike HTTPS connections from your browser, which start out using TLS and then talk HTTP over the secure-from-the-outset channel, e-mail connections start out unencrypted and "upgrade" themselves to TLS later on after the STARTTLS command is used. An eavesdropper who can alter the unencrypted part of a mail connection can therefore strip out the STARTTLS commands, sneakily turning a connection that was supposed to be encrypted into one that can be snooped on. Not a good thing.

One possible solution is a draft Internet standard called MTA-STS, proposed by experts from Microsoft, Google, Yahoo! and Comcast. MTA-STS allows a mail server to use an HTTPS connection – because secure HTTP is something we already know how to do well – to declare its preference for using e-mail encryption, and thereby to prevent a downgrade attack.

EFF is also helping out by hosting, on its own secure servers, a database called the STARTTLS Policy List that keeps track of e-mail systems that meet minimum standards for SMTP encryption.
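The downgrade problem and the MTA-STS fix described above are easy to see in a small simulation. The following is an added example (my own code, not from the Naked Security post, the EFF or the MTA-STS authors): it replays a server's EHLO reply once as sent and once with the STARTTLS line removed by an on-path party, then shows how a sending mail server behaves with only opportunistic TLS versus with an MTA-STS policy in `enforce` mode. The host names, the EHLO text and the policy file are constructed; the policy fields (`version`, `mode`, `mx`, `max_age`) follow the MTA-STS specification (RFC 8461). Fetching the policy over HTTPS, the DNS `_mta-sts` TXT lookup and validating the server certificate against the MX name are left out.

```python
"""Added example (not from the Naked Security post or the EFF project):
simulate an SMTP STARTTLS downgrade and show why an MTA-STS policy stops it.
Everything here is constructed: no network, no real mail servers."""
from dataclasses import dataclass, field

# EHLO reply as the receiving server really sends it (constructed sample).
EHLO_HONEST = [
    "250-mail.example.com Hello sender.example.net",
    "250-SIZE 52428800",
    "250-STARTTLS",
    "250 ENHANCEDSTATUSCODES",
]
# The same reply after an on-path party deletes the STARTTLS capability.
# Nothing in plain SMTP tells the sender that a line went missing.
EHLO_STRIPPED = [line for line in EHLO_HONEST if line != "250-STARTTLS"]

# MTA-STS policy text as it would be fetched over HTTPS from
# https://mta-sts.example.com/.well-known/mta-sts.txt (constructed sample;
# field names follow RFC 8461).
POLICY_TEXT = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"""


@dataclass
class Policy:
    mode: str = "none"          # enforce | testing | none
    mx: list = field(default_factory=list)
    max_age: int = 0


def parse_policy(text):
    """Parse the 'key: value' lines of an MTA-STS policy file."""
    policy = Policy()
    for raw in text.splitlines():
        if ":" not in raw:
            continue
        key, value = (part.strip() for part in raw.split(":", 1))
        if key == "version" and value != "STSv1":
            raise ValueError("unsupported MTA-STS policy version: " + value)
        elif key == "mode":
            policy.mode = value
        elif key == "mx":
            policy.mx.append(value)
        elif key == "max_age":
            policy.max_age = int(value)
    return policy


def mx_allowed(host, patterns):
    """True if host matches one of the policy's mx patterns.
    A leading '*.' matches exactly one DNS label, as in RFC 8461."""
    for pattern in patterns:
        if pattern.startswith("*."):
            suffix = pattern[1:]            # e.g. ".backup.example.com"
            if host.endswith(suffix) and "." not in host[:-len(suffix)]:
                return True
        elif host == pattern:
            return True
    return False


def decide(ehlo_lines, mx_host, policy=None):
    """What the sending MTA does after reading the EHLO reply:
    'tls' (proceed with STARTTLS), 'plaintext' (send unencrypted) or
    'refuse' (queue the mail rather than deliver it insecurely)."""
    offers_tls = any(line[4:].strip() == "STARTTLS" for line in ehlo_lines)
    if policy is None or policy.mode != "enforce":
        # Opportunistic TLS: silently fall back, so the stripped reply wins.
        return "tls" if offers_tls else "plaintext"
    # Enforce mode: the server must offer STARTTLS and be a listed MX.
    if not offers_tls or not mx_allowed(mx_host, policy.mx):
        return "refuse"
    return "tls"


if __name__ == "__main__":
    policy = parse_policy(POLICY_TEXT)
    for label, reply in (("honest", EHLO_HONEST), ("stripped", EHLO_STRIPPED)):
        print(f"{label:8s} opportunistic -> {decide(reply, 'mail.example.com')}")
        print(f"{label:8s} MTA-STS       -> {decide(reply, 'mail.example.com', policy)}")
```

With opportunistic TLS the stripped reply quietly yields `plaintext`, which is exactly the snooping scenario the post warns about; with the enforce policy the same reply yields `refuse`, so the mail waits in the queue instead of crossing the wire unencrypted. A `testing` policy behaves like the opportunistic case here, which matches its purpose of reporting failures without blocking delivery.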

I find myself continually applauding the good work of the EFF. Once again, bravo!

July 05, 2018

What is happening to ransomware? As ZDNet reported, in 2017 high-profile incidents like the WannaCry and NotPetya ransomware were in the news all the time. Stories about Bad Rabbit, Locky and Cerber abounded.

Kaspersky Lab's latest Kaspersky Security Network report claims that ransomware as a whole is "rapidly vanishing" with a 30 percent decline in ransomware attacks between April 2017 and March 2018 compared with the same period the previous year. A recent threat report by McAfee Labs also suggests a drop in the detection of ransomware attacks -- putting the decline at 32 percent.

A key factor behind the decline is the rise of cryptocurrency mining malware and low-level cyber criminals shifting their attention to 'cryptojacking' as a simpler, less risky means of illicitly making money.

These cryptojacking attacks involve attackers infecting a PC with malware which secretly uses the processing power to mine for cryptocurrency -- usually the relatively simple-to-mine Monero -- which is deposited into their own wallet. Unlike ransomware, it's stealthy and so long as the infection isn't discovered, it will continue to deliver the attacker a steady stream of income. The subtle nature of the attack has boosted the popularity of cryptojacking throughout 2018.

Don't feel safe just yet. Ransomware still remains a threat -- as evidenced by a March attack on the City of Atlanta, which encrypted data and led to the shutdown of a large number of online services. The city didn't pay the ransom, but the impact of the attack is projected to cost Atlanta at least $2.6 million.

The Atlanta attack came as a result of SamSam, a family of ransomware which has been in operation since 2015. Potentially vulnerable targets were specially sought out so that, once the hackers activated the attack, the ransomware could spread across the network.

Victims often pay tens of thousands of dollars to retrieve their files: in January a hospital paid out a $55,000 bitcoin ransom following a SamSam infection -- despite having backups available, because paying up was the quickest way to get systems back online. Targeted ransomware has proven quite profitable.

Another successful ransomware variation is GandCrab which first appeared in January and has received updates ever since. "GandCrab is using agile technology because they're using techniques which are like the software industry. They're patching their ransomware on an almost daily basis, they fix bugs as they go along -- it's a really nice approach," Yaniv Balmas, malware research team leader at Check Point, told ZDNet.

The new kid on the block is DataKeeper, which surfaced in February. Those behind it are serious enough that they monitor research blogs which mention it. "They're applying a lot of technical best practice, they're an active adversary. We see the DataKeeper guys looking at security research blogs and releases of detection -- and soon as something is released, a very short time later they're changing and updating their stuff," James Lyne, global research advisor at Sophos, told ZDNet.

Ransomware may have lost some ground, but it remains profitable for criminals and a headache for victims who can't afford to be out of business. It takes longer to realize profits from cryptocurrency mining, but mining flies under the radar in a way ransomware cannot, so that is the direction many criminals are heading.

Behind much of the potency of ransomware is the EternalBlue SMB vulnerability which allowed WannaCry, NotPetya and other ransomware attacks to self-perpetuate around networks. Unpatched systems abound, and they are still vulnerable.

Ransomware remains a threat – don't forget that while cryptocurrency mining is now grabbing all the headlines!

July 03, 2018

The ABA Journal reported on June 29th that the new data privacy law in California will give consumers the right to obtain data collected about them, the right to request deletion of the data, and the right to direct a business not to sell the information to third parties. The law takes effect in January 2020.

The New York Times calls the law, the California Consumer Privacy Act, one of the most significant regulations of data collection in the United States. USA Today says the law is the nation's toughest for online privacy protection, and it could serve as a model for other states.

The bill requires companies to disclose personal data collected when a consumer requests it, up to two times a year, and to delete and stop selling the personal information to third parties upon request. It also prevents businesses from selling personal information about minors to third parties, unless the parent of a minor under 13 affirmatively authorizes the sale, or a minor between the ages of 13 and 16 opts in to the sale.

Businesses are not allowed to discriminate against consumers who exercise their rights under the law by denying them service, charging them different prices or providing a different level of quality. But businesses can offer financial incentives for collecting and selling information, and may offer differing prices that are directly related "to the value provided to the consumer by the consumer's data." That strikes me as muddying the waters, but time will tell.

A consumer whose data is hacked is entitled to recover statutory damages of up to $750 in a civil suit when companies fail to maintain reasonable security procedures, provided certain steps are followed. Consumers can't sue unless they first notify the business and the state attorney general, the business doesn't correct the problem within 30 days, and the state attorney general does not bar the suit. That doesn't strike me as a lot of money for what would be considerable effort on the part of the hacking victim.

Intentional violations could incur civil penalties of up to $7,500 per violation.

The law applies to companies with California customers that gross at least $25 million a year, or collect or handle information on 50,000 or more people, or make more than half their revenue from selling personal information.

It will be interesting to see what real life impact the law has – and whether other states choose to adopt similar laws.

July 02, 2018

In the most recent edition of the Kennedy-Mighell Report podcast, our friends Dennis Kennedy and Tom Mighell offer their advice on how to delete data safely. There are a lot of issues to consider and Dennis and Tom do a good job of discussing them. And they are right – if you are talking about hard drives, especially solid-state drives, having them professionally shredded is your best bet.

The comic highlight for me was finding out that Dennis has a slightly maniacal side – I laughed out loud at his obsessive endeavor to physically destroy a hard drive – the story involves a drill, a pickaxe and hydrochloric acid. How can you resist giving that a listen?

Sensei Enterprises, Inc.
